pleaes remove all ity.im ads from your website

by on January 17, 2013

Updates: Read below for the apparent cures!

I had a client call me today that was experiencing a message repeatedly popping up on their Windows 7 computer. The message was “pleaes remove all ity.im ads from your website”. Note that the first word is misspelled (“pleaes” probably meaning “please”). Suspecting some sort of malware, I did some research but found remarkably little information about it. The information I did find was all from within a day or two at the most and did confirm my suspicion of malware. However, I did not find any definitive resolution.

I proceeded with my normal process of sniffing out malware but did not find anything myself. So I went ahead and ran my usual ace-in-the-hole anti-malware utility, ComboFix. It removed the following file:

C:\Windows\SysWow64\Email.exe

However, the pop-up still occurs.

Looking at the pop-up window in Task Manager, it appears to be tied to explorer.exe. I’ve also noticed that the explorer.exe process is using an unusual amount of CPU (20-40% when seemingly doing nothing), plus its RAM usage goes through the roof, taking up 1 – 3 GB. I would suspect it would use more, except this machine only has 4 GB.

At this point, I’m still researching how to fix the problem and testing various methods to clean it. I’ll update this post as I find a resolution. Please comment below if you have encountered this malware and if you have found a successful resolution.

Update 1: It appears that running TDSSKiller from an external boot device identifies a rootkit, Rootkit.Boot.SST.b. Another commenter suggested that HitmanPro identifies the rootkit as Trojan.MBR.Alureon!IK. Some research shows that these may be the same rootkit under different names. I will continue to monitor the infected PC to ensure it stays clean.

Thanks to commenters “Bretnerjm” and “Carolin Gehle” for their help! And a special shout-out to my friend and fellow virus slayer Rusty Herman. He suggested running TDSSKiller from an external drive to me earlier this morning. I just hadn’t had a chance to test it out until now.

Update 2: For those who are less technically savvy, you may want to try downloading and using Windows Defender Offline. It is a ready-made executable from Microsoft that creates a bootable USB or CD/DVD for dealing with rootkits such as this one. I have not had a chance to try this myself for this particular infection, so I would love to hear any feedback on this method. A few commenters have had success with it, so this is what I now recommend, since it is probably the easiest method for most people.
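As an added example that is not part of the original post, the following PowerShell triage script turns the indicators described above (the dropped Email.exe, the idle explorer.exe CPU/RAM profile, and the boot-sector nature of the rootkit) into a repeatable check you can run before and after an offline scan. It assumes an elevated PowerShell on the suspect machine and a working folder of my choosing (C:\ityim-triage); it only reads, it repairs nothing.

```powershell
# Added triage script, not from the original post or its commenters.
# Run from an elevated PowerShell on the suspect machine; it reads only.
# Assumptions: $BaselineDir is mine; the path and thresholds come from the post.
$BaselineDir = 'C:\ityim-triage'
New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null

function Get-Sha256Hex([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ([BitConverter]::ToString($sha.ComputeHash($Bytes))).Replace('-', '')
}

# 1. The file ComboFix removed on the author's machine: report it if it is back.
$dropped = 'C:\Windows\SysWOW64\Email.exe'
if (Test-Path $dropped) {
    $bytes = [System.IO.File]::ReadAllBytes($dropped)
    Write-Output "PRESENT $dropped SHA256=$(Get-Sha256Hex $bytes)"
} else {
    Write-Output "absent  $dropped"
}

# 2. explorer.exe resource use; the post reports 20-40% CPU and 1-3 GB RAM while idle.
#    Two counter samples are needed because the first '% Processor Time' sample is always 0.
$sets = Get-Counter '\Process(explorer)\% Processor Time' -SampleInterval 1 -MaxSamples 2
$cpu  = $sets[-1].CounterSamples[0].CookedValue / [Environment]::ProcessorCount
$ws   = (Get-Process explorer | Measure-Object WorkingSet64 -Sum).Sum / 1GB
Write-Output ('explorer.exe CPU={0:N1}% WorkingSet={1:N2} GB' -f $cpu, $ws)
if ($cpu -ge 20 -or $ws -ge 1) { Write-Output 'explorer.exe matches the symptom profile in the post' }

# 3. Snapshot the MBR (first 512 bytes of the boot disk): hash it now and again after the
#    offline scan. A changed hash confirms the boot sector was rewritten, and the saved copy
#    preserves the partition table (bytes 446-509) if boot repair is needed afterwards.
$fs = New-Object System.IO.FileStream('\\.\PhysicalDrive0', [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
try { $mbr = New-Object byte[] 512; $got = $fs.Read($mbr, 0, 512) } finally { $fs.Close() }
if ($got -ne 512 -or $mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) {
    throw ('MBR read failed or lacks the 55AA boot signature (got {0} bytes)' -f $got)
}
$hash  = Get-Sha256Hex $mbr
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
[System.IO.File]::WriteAllBytes("$BaselineDir\mbr-$stamp.bin", $mbr)
$prev = Get-ChildItem "$BaselineDir\mbr-*.sha256" | Sort-Object Name | Select-Object -Last 1
Set-Content -Path "$BaselineDir\mbr-$stamp.sha256" -Value $hash
if ($prev) {
    $old = (Get-Content $prev.FullName).Trim()
    if ($old -ne $hash) { Write-Output "MBR CHANGED since $($prev.Name): $old -> $hash" }
    else                { Write-Output "MBR unchanged since $($prev.Name)" }
} else {
    Write-Output "MBR baseline saved: $hash"
}
```

Run it once before booting the offline scanner and once after; on a machine whose boot sector was repaired, the second run reports the MBR as changed, and the saved .bin from the first run keeps the original partition table for reference.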

  • TechPro

    I have this too. SuperAntiSpyware does not show anything, nor does AVG.

    • So far, it appears this malware has been around for about 2 – 3 days and nothing can detect it. As far as I know, this is quite unusual!

  • Tshirt_n_jeans

    Norton 360 does not recognize this either. Spent an hour on chat with Norton and they said they have not heard of this yet…

    • It seems no security company knows anything about this. That’s why I started this blog page.

  • Amber

    Hi There – thanks for your concern – I too noticed it around 4 days ago and have not downloaded anything on my computer except the odd email from work.

    I did notice that Windows did an auto update around the time it happened – not sure if this is useful. Am currently running SUPERAntiSpyware and then will do Malwarebytes.

    I have so much security on my computer and have even removed myself as Administrator to avoid these pesky viruses that seem to invade us. I have no idea how I have gotten it and I personally am blaming the auto Windows update.

    So grateful for people such as yourselves who help us useless computer people out – good luck and I will let you know how I go – but from what I have read on other blogs, I think I am wasting my time.

    Cheers – Amber

  • Carolin Gehle

    Hello,

    (first, sorry for my not so good English…)
    This message has appeared on my notebook for 3 days now. Yesterday I had enough of it and reinstalled my whole system. So after a long night I thought it would be fixed, but the message still appears, which leads me to the assumption that it has to do something with some Windows Update… I’m not that good at computer stuff, but I have never heard of some virus that is able to come back after the system has been freshly installed.
    So, I hope this helps you a bit.
    Greets,
    Carolin

  • K J L

    I've tried CCleaner, Malwarebytes and Microsoft anti-virus… all run in safe mode and no luck… it's still there but it's only popping up on one certain site.

  • Times6plus

    I am also experiencing the same issue. I did a restore prior to the MS updates being applied and the problem still exists. Any new info from anyone regarding this problem?

  • Carolin Gehle

    I tried to exchange the infected explorer.exe with one from another computer. It helped for a moment, but every time I restart my laptop the popup occurs again. Any suggestions how this change can be made permanent?

    • Tshirt_n_jeans

      It seems to be something infecting explorer.exe. I did the same thing and within 15 minutes the problem is back… Explorerframe.dll maybe, but I can’t find any AV/malware app that will identify ANYTHING about this issue. Maybe it is in a theme…

  • Audreyletizia

    I did an earlier date restore and it doesn’t work… I am not even using Explorer.
    Also it’s been doing it for 4 days now… please find something, I’m not that good with computers!

  • Bretnerjm

    Sorry for my English, but I fixed this problem with TDSSKiller on a live CD.
    This infection is an MBR infection.
    Good luck to all.

    • OK, I will attempt using TDSSKiller and let everyone know the results. Thanks!

      • Tshirt_n_jeans

        It did not work on my machine. Did not even recognize there was a problem.

    • Bretnerjm

      TDSSKiller worked for me only on a live CD, not in safe mode or normal mode.

      • Tshirt_n_jeans

        Did it identify the problem? Any other info you have would be greatly appreciated.

        • It appears that running TDSSKiller from an external boot device is successful. I will continue monitoring the infected machine to confirm this, but preliminary results look good. The identified threat was Rootkit.Boot.SST.b.

  • Carolin Gehle

    Because TDSSKiller didn’t work on my system, I used HitmanPro. It deleted the Trojan named “Trojan.MBR.Alureon!IK”. So far, it’s working fine.

    • Great to hear! I’ve updated the blog post to reflect this.

      • Carolin Gehle

         Thank you for mentioning my name! 🙂 And thanks for this article, it will be very helpful for people with the same virus/rootkit.

  • It also appears that Windows Defender Offline may help fix this issue. Has anyone tried this yet?

  • Amber

    OK thanks guys, just ran HitmanPro – and it seems to have disappeared – I have run it 3 times and rebooted. Sorry – I’m a dummy, didn’t note down the log – but it’s gone – thanks for your hard work and research, advice and most of all time.

    Warm Regards, Amber

  • BubbaJoe

    What about services? Any damage to BITS, BFE, Shared Access, etc.?

  • Try Kaspersky AV. I don’t normally recommend specific programs, and I usually stick to free ones. However, when I got this virus (or whatever it is) recently, none of the usual free stuff could find it. My nephew recommended Kaspersky so I gave in and got it. It ran, found an issue that was running at the moment, stopped it, rebooted, and it hasn’t popped up since. It’s been 3 days now with no problems after several restarts (which is when it always hit me before). Maybe other paid antivirus programs work as well, I just know that this one worked for me.

    Also check your IE history. I don’t use IE, but when I checked the history it had a lot of sites that I had never visited. I added them all to my block list.

  • BubbaJoe

    Does anyone have the dropper file name, MD5, sha1, or sha256?

  • Ron Huber

    I downloaded Windows Defender Offline and ran it from a CD. It identified it as Trojan.MBR.Alureon!IK and removed it. All is well. Thank you for this fine, timely tip!

  • savvy1

    Had this problem for 4 days now. Ran the free version of HitmanPro. Revealed nothing at all, but the problem immediately disappeared following the scan. Have rebooted twice since yesterday and whatever it was, it seems to have gone now. Maybe worth trying?

    • Donna

      I got the same thing approx. four days ago. I have run McAfee and Spybot and nothing takes it off. What to do next? How do I get rid of this pop-up?

      • The simplest thing to try is Windows Defender Offline. There is a link to download it in the blog post.

  • Kennygfunk

    From what I can see, this virus blocks Windows Defender from working. It’s stopping me from uninstalling any other programs as well.

    • You’re probably right. The key is to download and create the Windows Defender Offline bootable disc/flash drive from a different PC. The only sure way to remove an MBR rootkit is to boot from external bootable media and run the scan from there (an offline scan), so that the malware has no chance of being loaded into memory.

  • Cesare Baratta

    Thanks very much guys, I ran TDSSKiller and a rootkit named Rootkit.Boot.SST.b has been eliminated.
    Regards

    • BubbaJoe

      Cesare,

      Did you run TDSSKiller from a boot device?

  • Pavanagem

    I did this two days ago and it seems to have cured the problem. Thanks so much. I’ve tried many different things but nothing seemed to work.

  • Guest

    HitmanPro did not find the virus, but the ity.im pop-ups stayed away and the computer ran faster. Next I ran Windows Defender Offline and it found the virus on the quick scan and fixed the computer’s boot sector.

    • Guest

      Unfortunately I am now having boot problems with the computer.

      • What kind of problems? Has anyone else seen any sort of boot problems?

  • mognaga

    After Windows Defender Offline, my PC no longer boots (only from a boot disk).
    How can I repair the boot files?
